Authentication and control of encryption keys

ABSTRACT

An apparatus, a method, and a system are presented in which the apparatus includes an interface control circuit that may be configured to receive a message including a cryptographic keyword and a policy value. The policy value may include one or more data bits indicative of one or more policies that define allowable usage of the cryptographic keyword. The apparatus also includes a security circuit that may be configured to extract the cryptographic keyword and the policy value from the message, and to apply at least one policy of the one or more policies to usage of the cryptographic keyword in response to a determination that an authentication of the message succeeded.

The present application is a continuation of U.S. application Ser. No.16/133,625, filed Sep. 17, 2018 (now U.S. Pat. No. 10,713,351), which isa continuation of U.S. application Ser. No. 15/678,502, filed Aug. 16,2017 (now U.S. Pat. No. 10,078,749), which is a continuation of U.S.application Ser. No. 14/696,581, filed Apr. 27, 2015 (now U.S. Pat. No.9,747,435); the disclosures of each of the above-referenced applicationsare incorporated by reference herein in their entireties.

BACKGROUND Technical Field

This disclosure relates to systems-on-a-chip (SOCs), and moreparticularly to security on SOCs.

Description of the Related Art

Because SOCs incorporate significant functionality in a small formfactor, and because SOCs can be made power efficient, SOCs have becomepopular devices to include in portable electronic devices such aportable phones (cell phones), smart phones, personal digital assistants(PDAs), tablet computers, etc. These portable electronic devices nowhave significant processing power and are increasingly being used forfinancial management and transactions, user communications other thanvoice (text, email, web browsing, etc.), streaming video, etc.Accordingly, SOCs may operate on private user data as well as databelonging to others (e.g., copyrighted audio, video, and still images).Therefore, the security of the SOC and its ability to resist attacksmeant to compromise secure data are becoming increasingly importantfeatures.

Some SOCs may utilize encryption to restrict access to secure data. Theuse of encryption, however, may necessitate a transfer of a keyword usedfor encrypting and decrypting the secure data between the SOC and acomponent with which the secure data is being shared. The use of thekeyword, however, may introduce a vulnerability to attacks.

SUMMARY OF THE EMBODIMENTS

Various embodiments of a system, an apparatus, and a method ofauthenticating and control of encryption keys are disclosed. Broadlyspeaking, an apparatus may include a security circuit, a processor, andan interface controller. The security circuit may be configured togenerate a keyword. The processor may be configured to determine one ormore policies to be applied to usage of the keyword, and to generate apolicy value. The policy value may include one or more data bitsindicative of the determined one or more policies. The interfacecontroller may be configured to generate a message including the keywordand the policy value. The interface controller may also be configured tosend the message.

In another embodiment, the one or more policies may include anindication of one or more functional units of a plurality of functionalunits that are allowed to use the keyword. In a further embodiment, theone or more policies may include an allowable size for the keyword.

In a given embodiment, the one or more policies may include anindication that the keyword is allowed to be used for encrypting dataand an indication that the keyword is allowed to be used for decryptingdata. In another embodiment, the one or more policies include anindication of an amount of time for which the keyword may be used.

In one embodiment, the security circuit may be further configured toencrypt the keyword. In a further embodiment, the one or more policiesmay include an indication of one or more additional operations requiredto be performed on the message to decrypt the keyword.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an embodiment of a system on a chip (SOC)including a security enclave processor (SEP).

FIG. 2 is a block diagram illustrating an embodiment of a SEP.

FIG. 3 is a table illustrating an embodiment of a format for sending akeyword by a SEP.

FIG. 4 is a flow diagram of a method for operating a SEP interface.

FIG. 5 illustrates a flow diagram describing operational aspects ofreceiving a keyword from a SEP interface.

FIG. 6 is a block diagram of one embodiment of a system that includesthe SOC of FIG. 1.

Specific embodiments are shown by way of example in the drawings andwill herein be described in detail. It should be understood, however,that the drawings and detailed description are not intended to limit theclaims to the particular embodiments disclosed, even where only a singleembodiment is described with respect to a particular feature. On thecontrary, the intention is to cover all modifications, equivalents andalternatives that would be apparent to a person skilled in the arthaving the benefit of this disclosure. Examples of features provided inthe disclosure are intended to be illustrative rather than restrictiveunless stated otherwise.

As used throughout this application, the word “may” is used in apermissive sense (i.e., meaning having the potential to), rather thanthe mandatory sense (i.e., meaning must). Similarly, the words“include,” “including,” and “includes” mean including, but not limitedto.

Various units, circuits, or other components may be described as“configured to” perform a task or tasks. In such contexts, “configuredto” is a broad recitation of structure generally meaning “havingcircuitry that” performs the task or tasks during operation. As such,the unit/circuit/component can be configured to perform the task evenwhen the unit/circuit/component is not currently on. In general, thecircuitry that forms the structure corresponding to “configured to” mayinclude hardware circuits. Similarly, various units/circuits/componentsmay be described as performing a task or tasks, for convenience in thedescription. Such descriptions should be interpreted as including thephrase “configured to.” Reciting a unit/circuit/component that isconfigured to perform one or more tasks is expressly intended not toinvoke 35 U.S.C. § 112, paragraph (f), interpretation for thatunit/circuit/component.

The scope of the present disclosure includes any feature or combinationof features disclosed herein (either explicitly or implicitly), or anygeneralization thereof, whether or not it mitigates any or all of theproblems addressed herein. Accordingly, new claims may be formulatedduring prosecution of this application (or an application claimingpriority thereto) to any such combination of features. In particular,with reference to the appended claims, features from dependent claimsmay be combined with those of the independent claims and features fromrespective independent claims may be combined in any appropriate mannerand not merely in the specific combinations enumerated in the appendedclaims.

DETAILED DESCRIPTION

In some embodiments, SOCs may operate on private user data (e.g., auser's home address, phone numbers, and credit card information) as wellas data belonging to others (e.g., copyrighted audio, video, and stillimages). SOCs operating on such data, therefore, may require an abilityto resist attacks meant to compromise secure data. In such embodiments,SOCs may utilize encryption to restrict access to secure data or keyedhashing functions to authenticate another system with which the SOC issharing the secure data. The use of encryption and keyed hashes,however, may necessitate a transfer of a keyword (also referred toherein as a “key” or “keys”) used for encrypting and decrypting thesecure data between the SOC and another system with which the securedata is being shared. The use of the keyword itself, however, mayintroduce a vulnerability to attacks. Once an SOC sends a keyword toanother system, such as, for example, a memory device, the SOC may notbe able to control the usage of the keyword, for example, how long thekeyword may be used. Overuse of a keyword, may, in some embodiments,allow a hacker enough time to determine the keyword through variousknown hacking strategies.

Embodiments presented herein may demonstrate methods for establishing aset of rules or policies for usage of a security keyword. Byestablishing such policies, an SOC may be able set one or more rulesgoverning usage of the keyword by internal components or externalsystems configured to abide by the policies. Such control over the usageof keywords may provide additional protection to secure and sensitivedata.

Moving to FIG. 1, a block diagram of one embodiment of a system on achip (SOC) is shown. The SOC 10 is coupled to a memory 12. In theillustrated embodiment, the components of the SOC 10 include a centralprocessing unit (CPU) complex 14, a security enclave processor (SEP) 16,peripheral components 18A-18B (more briefly, “peripherals”), a memorycontroller 22, and a communication fabric 27. The components 14, 16,18A-18B, and 22 are coupled to the communication fabric 27. The memorycontroller 22 may be coupled to the memory 12 during use, and mayinclude one or more configuration registers in one embodiment. Invarious embodiments, the CPU complex 14 may include one or moreprocessors and one or more cache memories (both not shown). The CPUcomplex may also include a cryptographic unit (CU) 38. As shown in FIG.1, the peripheral component 18B and the memory controller 22 may alsoinclude a respective cryptographic unit 38. In the illustratedembodiment, the SEP 16 includes one or more processors 32, a secure bootROM 34, and one or more security peripherals 36. The processor(s) 32 maybe referred to herein as SEP processor(s) 32. It is noted that in oneembodiment, the SOC 10 may be integrated onto a single semiconductorsubstrate as an integrated circuit “chip.” In other embodiments,however, the components may be implemented on two or more discrete chipsin a system.

The SEP 16 is an example of a security circuit. Generally, a securitycircuit may be any circuitry that is configured to perform one or moresecure services for the rest of the SOC 10 (e.g., the other componentsin the SOC 10). That is, a component may transmit a request for a secureservice to the security circuit, which may perform the secure serviceand return a result to the requestor. The result may be an indication ofsuccess/failure of the request and/or may include data generated byperforming the service. For example, secure services may include variouscryptographic operations such as authentication, encryption, decryption,etc. The result of an authentication operation may be a pass/failindication, for example. The result of encryption/decryption operationmay be the encrypted/decrypted data. Secure services may include securekey generation, where the keys may be used by components external to thesecurity circuit for various security functions such as encryption orauthentication. The result of secure key generation may be the key, oran encrypted key as described in greater detail below for an embodiment.

Secure services may include any services related to ensuring theprotection of private data and/or preventing the unauthorized use of thesystem including the SOC 10. Protecting private data may includepreventing unauthorized access (e.g., theft of data) and/or preventingcorruption/destruction of the data. Protecting private data may includeensuring the integrity and confidentiality of the data, and theavailability of the data to authorized access. Preventing unauthorizeduse may include, e.g., ensuring that a permitted use is paid for (e.g.,network access by a portable device) and may also include deterringnefarious acts. Nefarious acts may include, for example, use of a deviceto consume power from a battery of the device so that authorized use iscurtailed due to a lack of power, acts to cause damage to the system orto another system that interacts with the system, use of the device tocause corruption of data/software, etc. Secure services may includeensuring that the system is available to authorized users as well, andauthenticating authorized users.

A security circuit may include any desired circuitry (e.g.,cryptographic hardware, hardware that accelerates certain operationsthat are used in cryptographic functions, etc.). A security circuit neednot include a processor. In some embodiments, however, such as, e.g.,the embodiment shown in FIG. 1, a processor is included. The SEPprocessor 32 may execute securely loaded software. For example, thesecure read-only memory (ROM) 34 may include software executable by theSEP processor 32. One or more of the security peripherals 36 may includean external interface, which may be connected to a source of software.The software from the source may be authenticated or otherwise verifiedas secure, and may be executable by the SEP processor 32. In someembodiments, software may be stored in a trust zone in the memory 12that is assigned to the SEP 16 and the SEP processor 32 may fetch thesoftware from the trust zone for execution.

The SEP 16 may be isolated from the rest of the SOC 10 except for acarefully-controlled interface (thus forming a secure enclave for theSEP processor 32, the secure boot ROM 34, and the security peripherals36). Because the interface to the SEP 16 is carefully controlled, directaccess to the SEP processor 32, the secure boot ROM 34, and the securityperipherals 36 may be prevented. Various mechanisms may be used toprevent such direct access. For example, in some embodiments a securemailbox mechanism may be implemented. In the secure mailbox mechanism,external devices may transmit messages to an inbox. The SEP processor 32may read and interpret the message, determining the actions to take inresponse to the message. Response messages from the SEP processor 32 maybe transmitted through an outbox, which may also be part of the securemailbox mechanism. In such an embodiment, no other access from theexternal devices to the SEP 16 may be permitted. As described in greaterdetail below in conjunction with the description of FIG. 2, the SEP 16may send encrypted and/or wrapped keys to some peripherals (e.g., 18A,18B). In addition, the keys may include policy information that maycontrol how the keys are used.

The security peripherals 36 may be hardware configured to assist in thesecure services performed by the SEP 16. For example, the securityperipherals may include authentication hardware implementing variousauthentication algorithms, encryption hardware configured to performencryption, secure interface controllers configured to communicate overa secure interface to an external (to the SOC 10) device, etc.

Thus, in the illustrated embodiment, the SEP 16 may be an SOC within anSOC. The SEP 16 may be relatively autonomous from the remainder of theSOC 10. While communication between the SEP 16 and the remainder of theSOC 10 is supported, the SEP 16 may execute independent of the SOC 10and vice versa.

The CPU complex 14 may include one or more CPU processors (not shown)that serve as the CPU of the SOC 10. The CPU of the system includes theprocessor(s) that execute the main control software of the system, suchas an operating system. Generally, software executed by the CPU duringuse may control other components of the system to realize a desiredfunctionality (except that, in some embodiments, the operating systemmay not control the SEP 16). The CPU processors may also execute othersoftware, such as application programs. The application programs mayprovide user functionality, and may rely on the operating system forlower level device control. Accordingly, the CPU processors may also bereferred to as application processors. The CPU complex may furtherinclude other hardware such as cache memory and/or an interface to theother components of the system (e.g., an interface to the communicationfabric 27).

The peripherals 18A-18B may be any set of additional hardwarefunctionality included in the SOC 10. For example, the peripherals18A-18B may include video peripherals such as cameras, camerainterfaces, image processors, video encoder/decoders, scalers, rotators,blenders, graphics processing units, display controllers, etc. Theperipherals may include audio peripherals such as microphones, speakers,interfaces to microphones and speakers, audio processors, digital signalprocessors, mixers, etc. The peripherals may include interfacecontrollers for various interfaces external to the SOC 10 (e.g., theperipheral 18B) including interfaces such as Universal Serial Bus (USB),peripheral component interconnect (PCI) including PCI Express (PCIe),serial and parallel ports, as well as other input/output (I/O)interfaces, etc. The peripherals may include networking peripherals suchas media access controllers (MACs). Any set of hardware may be included.

The memory controller 22 may generally include the circuitry forreceiving memory requests from the other components of the SOC 10 andfor accessing the memory 12 to complete the memory requests. The memorycontroller 22 may be configured to access any type of memory 12. Forexample, the memory 12 may be static random access memory (SRAM),dynamic RAM (DRAM) such as synchronous DRAM (SDRAM) including doubledata rate (DDR, DDR2, DDR3, etc.) DRAM. Low power/mobile versions of theDDR DRAM may be supported (e.g. LPDDR, mDDR, etc.). In the illustratedembodiment, the memory controller 22 may include configuration registers(not shown) to identify trust zones within the memory address spacemapped to the memory 12.

The communication fabric 27 may be any communication interconnect andprotocol for communicating among the components of the SOC 10. Thecommunication fabric 27 may be bus-based, including shared busconfigurations, cross bar configurations, and hierarchical buses withbridges. The communication fabric 27 may also be packet-based, and maybe hierarchical with bridges, cross bar, point-to-point, or otherinterconnects.

The cryptographic units 38 may each perform one or more cryptographicfunctions for the components in which they are included. For example,each cryptographic unit 38 may be used to encode/decode data using oneor more encryption algorithms. Each individual cryptographic unit 38 mayalso be capable of performing, in whole or in part, a keyed hashingfunction. A “keyed hashing function” refers to a hash function thatrequires a keyword to generate a hash value. In addition to performingcryptographic functions, the cryptographic units 38 may be designed toreceive policies associated with a keyword received from the SEP 16 andimplement the policies on the keyword before using the keyword.

It is noted that the number of components of the SOC 10 (and the numberof subcomponents for those shown in FIG. 1, such as within the CPUcomplex 14 and the SEP 16) may vary from embodiment to embodiment. Theremay be more or fewer of each component/subcomponent than the numbershown in FIG. 1.

Turning to FIG. 2, a block diagram illustrating more detailed aspects ofthe embodiment of the SEP of FIG. 1 is shown. In the illustratedembodiment, the SEP 16 includes the SEP processor 32, securityperipherals 36A-36E, the secure ROM 34, secure mailbox 60, filter 62,and fuses 68. As shown, the filter 62 is coupled to the communicationfabric 27 and to a local interconnect 70 to which the other componentsof the SEP 16 are also coupled. Like the communication fabric 27, thelocal interconnect 70 may have any configuration (bus-based,packet-based, hierarchical, point-to-point, cross bar, etc.). Thesecurity peripheral (Encrypt) 36B is coupled to the fuses 68 and to asecure bus 72. The security peripheral (Encrypt) 36A is coupled to theSEP processor 32, which is in turn coupled to the secure mailbox 60.

The filter 62 may be configured to tightly control access to the SEP 16to increase the isolation of the SEP 16 from the rest of the SOC 10, andthus the overall security of the SOC 10. More particularly, in someembodiments, the filter 62 may permit read/write operations from thecommunication fabric 27 to enter the SEP 16 only if the operationsaddress the secure mailbox 60. Other operations may not progress fromthe fabric 27 into the SEP 16. Further, the filter 62 may permit writeoperations to the address assigned to the inbox portion of the securemailbox 60, and read operations to the address assigned to the outboxportion of the secure mailbox 60. All other read/write operations may beprevented by the filter 62. In one embodiment, the filter 62 may respondto other read/write operations with an error, or with garbage data. Thefilter 62, however, may allow read/write operations that come from theSEP 16. Likewise, the filter 62 may not filter responses from the fabric27 that are provided in response to read/write operations issued by theSEP 16.

The secure mailbox 60 may include an inbox and an outbox. Both the inboxand the outbox may be first-in, first-out buffers (FIFOs) for data. Thebuffers may have any size (e.g. any number of entries, where each entryis capable of storing data from a read/write operation). Particularly,the inbox may be configured to store write data from write operationssourced from the fabric 27 (e.g., issued by one of the CPU processors).The outbox may store write data from write operations sourced by theprocessor 32 (which may be read by read operations sourced from thefabric 27, e.g., read operations issued by one of the CPU processors).

In one embodiment, write data for write operations generated by the SEPprocessor 32 that are to be transmitted by the SEP 16 via the fabric 27may optionally be encrypted. The security peripheral (encrypt) 36A maybe an encryption circuit configured to encrypt the write data as it isprovided by the processor to be transmitted on the fabric 27. Anattribute of the write operation issued by the SEP processor 32 mayindicate whether or not the data is to be encrypted. The attribute maybe a packet field, in packet-based embodiments, a signal transmittedwith the write operation, in bus-based embodiments, or may betransmitted in any other desired fashion. The encryption circuit 36A mayimplement any suitable encryption algorithm.

While the encryption circuit 36A is shown in line between the SEPprocessor 32 and the local interconnect 70, the encryption circuit 36Amay actually be coupled in parallel with the processor to the localinterconnect 70. The encryption circuit 36A may capture the write data(and the filter circuit 62 may ignore the write data) from the SEPprocessor 32 on the local interconnect 70 responsive to the encryptionattribute indicating encryption, and the encryption circuit 36A mayencrypt the write data and supply the encrypted write data on the localinterconnect 70 to the filter 62 (which may relay the encrypted writedata on the communication fabric 27 as the data for the writeoperation).

The secure ROM 34 is coupled to the local interconnect 70, and mayrespond to an address range assigned to the secure ROM 34 on the localinterconnect 70. The address range may be hardwired, and the processor32 may be hardwired to fetch from the address range at boot in order toboot from the secure ROM 34. The filter 62 may filter addresses withinthe address range assigned to the secure ROM 34 (as mentioned above),preventing access to the secure ROM 34 from requestors external to theSEP 16. As mentioned previously, the secure ROM 34 may include the bootcode for the SEP 16. Additionally, in some embodiments, the secure ROM34 may include other software executed by the SEP processor 32 duringuse (e.g. the code to process inbox messages and generate outboxmessages, code to interface to the security peripherals 36A-36E, etc.).In an embodiment, the secure ROM 34 may store all the code that isexecuted by the SEP processor 32 during use.

A second encryption circuit (encrypt) 36B is included as a securityperipheral, in this embodiment. The second encryption circuit 36B mayimplement any suitable encryption algorithm. In an embodiment, thesecond encryption circuit 36B is responsible for secure key generation.In such an embodiment, the second encryption circuit 36B is configuredto output a key in hardware (e.g., via secure bus 72) to cryptographiccircuits and/or other circuitry within SOC 10 and external to the SEP 16such as the I/O peripherals, for example, which may use keys. In someembodiments, the key is sent to another block within the SEP 16, suchas, e.g., the fuses 68, to be output external to the SEP 16. The outputkey may be a wrapping key in some embodiments, which may be used toencrypt a secure key. Wrapping keys may be sent to other cryptographiccircuits via secure bus 72, rather than through filter 62 andcommunication fabric 27, to avoid exposure of the wrapping keyword toany software processes that may be running in CPU complex 14. Theencrypted key, however, may be provided to software, preventing theunencrypted secure key from being exposed to software. The software mayprovide the encrypted key to the SOC cryptographic unit, which maydecrypt the key using the wrapping key (received via secure bus 72) toobtain the secure key. The secure key may then be used for otherencryption/decryption operations in the SOC cryptographic unit.Additional details will be provided further below.

In some embodiments, the SEP 16 may dictate how the keys may be used bycertain other circuits and peripherals. Accordingly, in oneimplementation, the SEP processor 32 may execute software that maymaintain and provide key policy information to the second encryptioncircuit 36B to be included with the secure key during the wrappingencryption. In such embodiments, the secure key may then be usedaccording to the policy information. When a given encryption/decryptionengine receives an encrypted key, it may authenticate and decrypt it(using the separately received wrapping key), producing the secure key.The given encryption/decryption engine may then enforce the policyincluded with the secure key. It is noted that in one embodiment, theencrypted keys may be provided in clear text form.

In one embodiment, there may be a variety of policies that may specifyhow the various wrapped security keys may be used. A policy field may beincluded with the secure key. The policy field may have a number of bitsthat may be grouped to form sub-fields that specify the key usage.Examples of key policies may include an indication of which componentsare allowed to use the key, an allowable size (number of bits) for thekey, additional operations required to unwrap the secure key for use, anindication if the key may be used for encrypting data, an indication ifthe key may be used for decrypting data, an indication of with whichencryption algorithms the key may be used, an indication of which keyshould be used if more than one secure key is included in the wrapper,and an indication of an amount of time for which the key may be used,i.e., an expiration time and/or date. Other key policies arecontemplated and may be included in other embodiments.

As shown in FIG. 2 the second encryption circuit 36B is coupled to fuseblock (fuses) 68. The fuses 68 may be any mechanism that may fix valuesin hardware at the time of manufacture. To “blow” or “blowing” a fusemay refer to an operation that changes a state of the fuse. For example,fuses may be selectively blown by laser or electrical activity duringmanufacture. A blown fuse may provide a binary one, and an unblown fusemay provide a binary zero, or vice versa. By selectively blowingmultiple fuses, a multi-bit binary value may be generated.

More particularly, the fuses 68 may be blown to create a unique valuefor each instance of the SOC 10. That is, each instance of the SOC 10may have the fuses blown in a different way so that the unique value isdifferent for every SOC 10 manufactured. Thus, the unique value is aninstance-specific value. If the unique value is used in generation ofkeys, those keys will be different than keys generated on anotherinstance of SOC 10 even if other data used to generate the keys is thesame between the different instances. The encryption circuit 36B mayfurther include seeds that may be used with the unique value to generatekeys. The seeds may be the same for each instance of the SOC 10. Thatis, the seeds may be instance-invariant. In an embodiment, two uniquevalues may be provided from the fuses 68. More or fewer unique valuesmay be provided from the fuses 68 in other embodiments.

An authentication circuit 36C may be another example of a securityperipheral. The authentication circuit 36C may implement anauthentication algorithm. For example, the authentication circuit 36Cmay implement a keyed-hash message authentication code (HMAC), or anyother suitable authentication algorithm. The authentication circuit 36Cmay be used to validate the authenticity of a block of data or toauthenticate the identity of a sender of the block of data. In additionto the authentication circuit 36C, there may be one or more othersecurity peripherals 36D for performing various other securityoperations, such as, for example, random number generation and keystorage/management.

In addition to security peripherals designed to perform specificfunctions, there may also be security peripherals that are interfaceunits for secure interfaces such as the secure interface unit 36E. Inthe illustrated embodiment, the secure interface unit 36E may be aninterface to an off SOC 10 (“off-chip”) secure memory. For example, theinterface may an interface to an off SOC Smart Card.

The security peripherals 36B-36E may have programming interfaces, whichmay be used by the SEP processor 32 (and more particularly by softwareexecuting on the SEP processor 32) to invoke the security peripherals38B-38E to perform a particular task. For example, the peripherals mayinclude registers (not shown) that may be read and written to controloperation of the security peripherals. The peripherals may include acommand interface that receives and interprets write operations ascommands to be performed. Any interface for invoking the securityperipherals may be used.

It is noted that the computing system of FIG. 2 is merely an embodimentfor demonstrative purposes. Other embodiments may include differentcomponents and different numbers of components in the powered-down andpowered-on power domains. In some embodiments, a variety of powerdomains with varying voltage levels may be included.

Moving now to FIG. 3, a table is presented illustrating an embodiment ofmessage format for sending one or more keywords that include one or morepolicies controlling the use of the keyword(s). Table 300 may apply tokeywords generated in a security enclave processor, such as, forexample, the SEP 16 shown in FIG. 2. Table 300 includes three columns:bit field 301, data bits 302, and description 303. Bit field 301includes a name for the corresponding bit field of the message. Databits 302 indicates a number of bits of a given bit field and bitpositions of the given bit field within the message. Description 303includes a brief description of the corresponding bit field.

The message format of table 300 may correspond to a data packetgenerated in the SEP 16. More specifically, in some embodiments, thedata packet may be generated, for example, in the second encryptioncircuit 36B. In the illustrated embodiment, the bit field 301 labeled“keyword select” is a single bit corresponding to bit 0 (abbreviated as“b”) of the data packet. Keyword select may determine which keywordshould be used if more than one keyword is included in the data packet,with a b0 value of ‘0’ corresponding to keyword ‘A’ and a b0 value of‘1’ corresponding to keyword ‘B.’ In some embodiments, a cryptographicalgorithm may be used which uses two keywords (e.g., a public/privatekey combination may be used), in which case the keyword select field maybe ignored and both keywords used by the algorithm.

The bit field 301 “allowed algorithms” comprises bits 1-4 of the datapacket. Allowed algorithms may determine with which cryptographicalgorithm or algorithms the included keyword(s) may be used. In thepresent example, four bits are assigned, with each bit enabling ordisabling use of the keyword(s) for a corresponding cryptographicalgorithm. In other embodiments, the bit field may be treated as asingle value which may be used to determine the allowed algorithms.

The “allowed modules” bit field 301 comprises bits 5-8 in the datapacket. Allowed modules may indicate which modules in SOC 10 are allowedto use the included keyword(s). As illustrated, each bit of the bitfield may allow or disallow a respective module to use the includedkeyword(s). As with the allowed algorithms bit field, the allowedmodules bit field may, alternatively, be treated as a single value whichmay be used to determine the allowed modules, such as, for example, asan index value to a look-up table.

The bit field 301 “keyword size” consists of bits 9-10 of the datapacket and may indicate a size or length of the included keyword orkeywords. As shown in table 300, the two bits forming keyword size maycreate a 2-bit value indicating one of four keyword size options. The“direction” bit field 301 includes bits 11-12 of the data packet and mayindicate if the keyword(s) may be used for encryption, decryption, orboth. In some embodiments, a third bit may be included to indicate ifthe keyword(s) may be used for keyed hashing functions, such as a SHAfunction.

The “additional operations” bit field 301 includes bits 13-15 of thedata packet and may designate additional operation to be performed onthe keyword(s) before the keyword(s) can be used. Each bit of theexample bit field indicates if a respective operation needs to beperformed. In the illustrated example, additional operations includedecrypting the key, combining keyword ‘A’ and keyword ‘B’ such as by anexclusive ‘OR’ operation, and performing a descrambling (i.e.,rearranging the order of the bits of the keyword). Various additionaloperations are contemplated and may be included in other embodiments.

The bit field 301 “expiration date” includes bits 16-39 to form a 24 bitvalue. The 24 bit expiration date may correspond to a time of day (e.g.,7:15 PM) and/or a calendar date (e.g., February 24^(th)). In otherembodiments, an amount of time may be indicated rather than a time ofday, such as, for example, 10 seconds, 30 minutes, or one hour. At theexpiration date, or after the amount of time elapses, the keyword(s) maybe deleted and a new keyword or keywords requested. In some embodiments,the expiration date may be applied to a group or class of keywords.Examples of classes may include keywords generated within a given timeperiod, keywords associated with a given type of data, and keywordsassociated with a common peripheral.

The revocation bit field 301 consists of bits 40-47 of the data packetand may indicate a time period for updating a revocation list. Therevocation list may include a list of previously issued keywords thatare no longer valid, allowing a module to delete a previously receivedkeyword that is on the list. The revocation list may be updatedperiodically to add keywords that will no longer be accepted. The timeperiod for updating the list is referred to as a revocation epoch insome embodiments.

Bits 0-47 of the data packet may collectively form a policy value. Thepolicy value may include all policies to be applied to a correspondingkeyword or keywords. Other embodiments of a policy value may not belimited to the policies illustrated in FIG. 3 and may include anysuitable number of policies. Furthermore, in various embodiments, eachpolicy may consist of any suitable number of data bits of the datapacket.

In addition to the policy value, the data packet may include an“authentication” bit field 301, consisting of bits 48-175 and the“keyword(s)” bit field 301 consisting of bits 176-431. Theauthentication bit field may be a value used to authenticate thevalidity of the data packet. For example, the value may be equal to aresult of an HMAC function performed on one or more bit fields (i.e.,the keyword(s) and/or the policy value). The functional unit receivingthe data packet may perform a similar HMAC function on the same bitfields and compare the result to the authentication value. If the twovalues match, then the data packet may be considered valid. If not, thenthe data packet may be deleted and the functional unit may request thekeyword(s) to be resent.

The keyword(s) bit field may the value(s) of the keyword(s). In variousembodiments, the keyword(s) may be encrypted, scrambled, or otherwisemodified. In such embodiments, one or more operations may be performedbefore using the keyword(s). In some embodiments, the operations may beconsistent an all keyword data packets, and therefore they may not beindicated by the “additional operations” bit field. Any suitable numberof keywords may be sent in a data packet in various embodiments. In someembodiments, the size of this bit field may vary as needed for aparticular keyword, while in other embodiments, the bit field may be afixed size and any extraneous bits may be assigned a predeterminedvalue. In such an embodiment, the keyword size bit field may indicatethe actual size of the keyword.

It is noted that data format described by table 300 in FIG. 3 is merelyan example and is not intended to imply a limitation to embodimentsdisclosed herein. Other bit fields may be included and some bit fieldsmay be excluded. In various embodiments, each bit field may include adifferent number of bits that what is illustrated.

Turning now to FIG. 4, a flow diagram is presented to illustrate anembodiment of a method for generating a secure keyword that includes oneor more policies. Method 400 may be applied to operational aspects of asecurity enclave processor, such as, for example, the SEP 16 shown inFIG. 2. Referring collectively now to FIG. 1, FIG. 2, and FIG. 4, method400 may begin in block 401.

The SEP 16 may generate keyword (block 402). The SEP 16 may generate thekeyword in response to a request from a cryptographic unit in SOC 10(such as any of cryptographic units 38 in FIG. 1) or from acryptographic unit in another device coupled to SOC 10. In otherembodiments, an event other than a request may cause the SEP 16 togenerate the keyword. In some embodiments, the SEP 16 may generate morethan one keyword.

The method may depend on a determination if a policy should be appliedto the keyword (block 403). The determination may depend on variousfactors, such as, for example, the cryptographic unit requesting thekeyword, a type of event that triggered the generation of the keyword, atype of data with which the keyword is to be used, a type of algorithmwith which the keyword is to be used, or any other suitable factors. Forexample, the SEP 16 may be aware that the keyword is to be used toencrypt a user's credit card number, and in response the SEP 16 maydetermine that the keyword should be encrypted and scrambled beforesending. The SEP 16 may also determine that the keyword should only beused with a particular cryptographic algorithm and should only be validfor 15 minutes. If a policy is to be applied, then the method may moveto block 404 to add the policy to a policy value. Otherwise, if nopolicies are needed, or if all needed policies have been added, then themethod may move to block 405 to generate a message.

If a policy is needed, then the SEP 16 may determine a value for acorresponding bit field and add that value to the policy value (block404). A policy value may be initialized with a default, predeterminedvalue. If the SEP 16 determines at least one of the policies does notcorrespond to the default policy value in block 403, then a new valuemay be determined and the policy value may be updated. The method mayreturn to block 403 to determine if another policy should be applied.

If the SEP 16 determines that no further policies need to be applied tothe generated keyword, the SEP 16 may generate a message including thepolicy value and the keyword (block 405). The message may be generatedin the form of a data packet with a predetermined format, such as, forexample, the data format illustrated in FIG. 3. In addition to thekeyword and policy value, other data may be included in the data packet,such as an authentication value for the cryptographic unit receiving thepacket to determine if the received packet is valid. The authenticationvalue may include a result of a keyed hash algorithm performed on atleast some of the bits of the message.

The SEP 16 may send the message to one or more cryptographic units(block 406). If the SEP 16 generated the keyword in response to arequest from a single cryptographic unit, the SEP 16 may send themessage to that single requestor via secure bus 72. In otherembodiments, the SEP 16 may identify more than one cryptographic unitthat should receive the keyword and, therefore, send the message viasecure bus 72 to each of the identified cryptographic units. In someembodiments, the SEP 16 may broadcast the message to multiplecryptographic units by first sending the message to a processor in CPUcomplex 14. The processor may then forward the message to a list ofcryptographic units or store the message in a memory accessible by thecryptographic units, relying on the policy and encryption to limit usageof the included keyword to appropriate cryptographic units. In such abroadcast mode, the appropriate cryptographic units may receive awrapping key via the secure bus 72. The method may end in block 407.

It is noted that, method 400 of FIG. 4 is merely an example. In otherembodiments, a different number of operations may be included ordifferent orders or operations may be employed. In some embodiments,some of the operations may be performed in parallel.

Moving to FIG. 5, a flow diagram is presented to illustrate anembodiment of a method for receiving a secure keyword that includes oneor more policies. Method 500 may be applied to operational aspects of acryptographic unit, such as, for example, a given one of thecryptographic units 38 shown in FIG. 1. Referring collectively now toFIG. 1 and FIG. 5, method 500 may begin in block 501.

The given cryptographic unit 38 may receive a message from a securityunit, such as, for example, the SEP 16 (block 502). The givencryptographic unit 38 may have requested a keyword or may have receiveddata encrypted with the keyword. In some embodiments, the message maynot come directly from the security unit, but instead from anotherperipheral or functional unit in SOC 10. For example, peripheral 18B mayreceive data and a corresponding message from CPU complex 14. CPUcomplex 14 may receive the message from SEP 16 and then forward it toperipheral 18B.

The given cryptographic unit 38 may extract a keyword and a policy valuefrom the message (block 503). The received message may conform to apredetermined format, such as, for example, the format shown in FIG. 3,allowing the given cryptographic unit 38 to extract at least a keywordand a policy value from the message. The given cryptographic unit 38 mayalso extract additional information, such as an authentication value.

The method may depend on the authentication value (block 504). The givencryptographic unit 38 may determine if the received policy is validdependent on the authentication value. An HMAC algorithm may beperformed by the given cryptographic unit 38 and the result compared tothe authentication value extracted from the message. If the resultmatches the authentication value, then the message is valid and themethod may move to block 505 to apply the policy. Otherwise, the messagemay have been corrupted or may have been generated by an unauthorizedsource, in which case, the method may move to block 509 to discard thekeyword.

The method may depend on the extracted policy value (block 505). Onceextracted, the policy value may include indications if one or morepolicies are to be applied to the corresponding keyword. The givencryptographic unit 38 may determine if a given policy is to be applied,such as the additional operations described above in regards to FIG. 3.The given cryptographic unit 38 may also determine a value for otherpolicies such as keyword size. If no further policies are to be applied,then the method may move to block 506 to determine if the keyword isvalid. Otherwise, the method may move to block 505 to apply a determinedpolicy.

The given cryptographic unit 38 may apply a policy to the keyword (block506). The given cryptographic unit 38 may determine a given policy is tobe applied, such as for example, the keyword may be limited to aparticular cryptographic algorithm. In some embodiments, the policiesmay be implemented by setting or clearing a corresponding register bitin the given cryptographic unit 38. In other embodiments, the policiesmay be implemented by saving a predetermined value to a correspondingmemory location. The method may return to block 504 to determine iffurther policies are to be applied.

Once the given cryptographic unit 38 determines all policies included inthe policy value have been applied, the method may depend on adetermination if the keyword is valid per the applied policies (block507). The applied policies may, in some embodiments, result in a keywordthat is invalid for the given cryptographic unit 38. For example, onepolicy may indicate that only certain cryptographic units 38 may use theassociated keyword. If the given cryptographic unit 38 is not one of theindicated cryptographic units 38 (for example, the received message wasreceived as a broadcast message from the SEP 16), then the keyword maybe determined to be invalid for the given cryptographic unit 38. Asanother example, one policy may determine that the keyword is only foruse with a particular cryptographic algorithm. If the givencryptographic unit 38 does not support the particular cryptographicalgorithm, then the keyword may again be determined to be invalid forthe given cryptographic unit 38. It is noted, that in such examples, thekeyword may be still be valid for other cryptographic units 38. If thekeyword is determined to be invalid, then the method may discard thekeyword in block 508. Otherwise, the method may use the keyword in block507.

If the keyword is determined to be valid per the policies, then thegiven cryptographic unit 38 may use the keyword in accordance with thedetermined policies (block 508). In some embodiments, the determinedpolicies may include additional operations to be performed to thekeyword before use, such as, for example, decrypting and/or descramblingthe keyword. In addition, the received message may also include anauthentication value which may need to be validated before the keywordcan be used. The method may end in block 509.

If the keyword is determined to be invalid per the policies in block507, or fails authentication in block 504, then the given cryptographicunit 38 may discard the keyword (block 509). In various embodiments,discarding the keyword may include any combination of setting orclearing a given register bit, setting a given memory location to apredetermined value, and overwriting the received keyword with a givenvalue. The method may end in block 510.

It is noted that, method 500 illustrated in FIG. 5 is merely an examplefor demonstrating the disclosed concepts. In other embodiments,different operations and different orders of operations are possible andcontemplated.

Turning to FIG. 6, a block diagram of one embodiment of a system thatincludes the SOC of FIG. 1 is shown. The system 600 includes anintegrated circuit 610, which may correspond to an instance of the SOC10 of FIG. 1, coupled to one or more peripherals 607 and a system memory605. The system 600 also includes a power supply 601 that may provideone or more supply voltages to the integrated circuit 610 as well as oneor more supply voltages to the memory 605 and/or the peripherals 607. Insome embodiments, more than one instance of the integrated circuit 610may be included.

The peripherals 607 may include any desired circuitry, depending on thetype of system. For example, in one embodiment, the system 600 may beincluded in a mobile device (e.g., personal digital assistant (PDA),smart phone, etc.) and the peripherals 607 may include devices forvarious types of wireless communication, such as Wi-Fi, Bluetooth,cellular, global positioning system, etc. The peripherals 607 may alsoinclude additional storage, including RAM storage, solid-state storage,or disk storage. The peripherals 607 may include user interface devicessuch as a display screen, including touch display screens or multi-touchdisplay screens, keyboard or other input devices, microphones, speakers,etc. In other embodiments, the system 600 may be included in any type ofcomputing system (e.g. desktop personal computer, laptop, workstation,net top etc.).

The system memory 605 may include any type of memory. For example, asdescribed above in conjunction with FIG. 1, the system memory 605 may bein the DRAM family such as synchronous DRAM (SDRAM), double data rate(DDR, DDR2, DDR3, etc.), or any low power version thereof. However,system memory 605 may also be implemented in static RAM (SRAM), or othertypes of RAM, etc.

Although the embodiments above have been described in considerabledetail, numerous variations and modifications will become apparent tothose skilled in the art once the above disclosure is fully appreciated.It is intended that the following claims be interpreted to embrace allsuch variations and modifications.

What is claimed is:
 1. An apparatus comprising: a peripheral circuit,included in a system-on-a-chip, that includes: an interface controlcircuit configured to receive an electronic message including acryptographic keyword and a policy value, wherein the policy valueincludes one or more data bits indicative of one or more policies thatdefine allowable usage of the cryptographic keyword; and a securitycircuit configured to: extract the cryptographic keyword and the policyvalue from the electronic message; perform an authentication of theelectronic message to determine if the electronic message is valid;apply at least one policy of the one or more policies to usage of thecryptographic keyword in response to a determination that theauthentication of the electronic message succeeded; and delete thecryptographic keyword in response to a determination that theauthentication of the electronic message failed.
 2. The apparatus ofclaim 1, wherein the electronic message includes two or more datapackets.
 3. The apparatus of claim 1, wherein to determine if theauthentication of the electronic message succeeded, the security circuitis further configured to: utilize a keyed-hash message authenticationcode (HMAC) algorithm to generate a hash value of the electronicmessage; and compare the hash value to an authentication value includedin the electronic message.
 4. The apparatus of claim 1, wherein theelectronic message includes a second cryptographic keyword and thepolicy value includes an indication to use the second cryptographickeyword, and wherein to apply the at least one policy to the usage ofthe cryptographic keyword, the security circuit is further configured touse the second cryptographic keyword.
 5. The apparatus of claim 1,wherein the policy value includes an indication that the cryptographickeyword is encrypted, and wherein to apply the at least one policy tothe cryptographic keyword, the security circuit is further configured todecrypt the cryptographic keyword before using the cryptographickeyword.
 6. The apparatus of claim 1, wherein the policy value includesan indication of an amount of time for which the cryptographic keywordis allowed to be used, and wherein to apply the at least one policy, thesecurity circuit is further configured to delete the cryptographickeyword in response to a determination that the amount of time haselapsed.
 7. The apparatus of claim 1, wherein the policy value includesan indication that the cryptographic keyword is restricted to decryptionusage, and wherein to apply the at least one policy to the usage of thecryptographic keyword, the security circuit is further configured todecrypt encrypted data using the cryptographic keyword.
 8. A method,directed to a a peripheral circuit included in a system-on-a-chip,comprising: receiving, by the peripheral circuit, an electronic messagethat includes a cryptographic keyword and a policy value, wherein thepolicy value includes one or more data bits indicative of one or morepolicies that define allowable usage of the cryptographic keyword;extracting, by a security circuit in the peripheral circuit, thecryptographic keyword and the policy value from the electronic message;authenticating the electronic message to determine if the electronicmessage is valid; applying at least one policy of the one or morepolicies to usage of the cryptographic keyword in response todetermining that authenticating the electronic message succeeded; andotherwise deleting the cryptographic keyword in response to determiningthat authenticating the electronic message failed.
 9. The method ofclaim 8, wherein authenticating the electronic message comprises:performing a keyed-hash message authentication code (HMAC) algorithm onthe electronic message; and comparing a result of the HMAC algorithm toan authentication value included in the electronic message.
 10. Themethod of claim 8, wherein applying the at least one policy includesselecting, based on the policy value, one of a plurality ofcryptographic algorithms that is approved for use with the cryptographickeyword.
 11. The method of claim 8, wherein applying the at least onepolicy comprises: determining, based on the policy value, a time periodfor updating a revocation list; in response to determining that the timeperiod has elapsed, updating the revocation list; and in response todetermining that the cryptographic keyword is on the updated revocationlist, deleting the cryptographic keyword.
 12. The method of claim 8,wherein applying the at least one policy includes descrambling, based onthe policy value, the cryptographic keyword.
 13. The method of claim 8,wherein applying the at least one policy includes combining, based onthe policy value, the cryptographic keyword with a second cryptographickeyword included in the electronic message.
 14. A system-on-a-chipcomprising: a security processor configured to: generate a cryptographickeyword; create a policy value including one or more data bitsindicative of one or more policies that indicate allowable usage of thecryptographic keyword; and send a electronic message including thecryptographic keyword and the policy value; a plurality of peripheralcircuits, wherein at least one of the plurality of peripheral circuitsincludes a security circuit that is configured to: receive theelectronic message from the security processor; extract thecryptographic keyword and the policy value from the electronic message;and perform an authentication of the electronic message to determine ifthe electronic message is valid; apply at least one policy of the one ormore policies to usage of the cryptographic keyword in response to adetermination that the authentication of the electronic messagesucceeded; and delete the cryptographic keyword in response to adetermination that the authentication of the electronic message failed.15. The system-on-a-chip of claim 14, wherein the policy value includesan indication of a subset of the plurality of peripheral circuits thatare allowed to use the cryptographic keyword, and wherein to apply theat least one policy to the usage of the cryptographic keyword, a firstperipheral circuit of the plurality of peripheral circuits is configuredto use the cryptographic keyword in response to a determination that thefirst peripheral circuit is included in the subset.
 16. Thesystem-on-a-chip of claim 15, wherein to apply the at least one policyto the usage of the cryptographic keyword, a second peripheral circuitof the plurality of peripheral circuits is configured to delete thecryptographic keyword in response to a determination that the secondperipheral circuit is excluded from the subset.
 17. The system-on-a-chipof claim 15, wherein the policy value includes an indication that thecryptographic keyword is restricted to encryption usage, and wherein toapply the at least one policy to the usage of the cryptographic keyword,the first peripheral circuit is further configured to encrypt data usingthe cryptographic keyword.
 18. The system-on-a-chip of claim 15, whereinthe policy value includes an indication of a time of day, and wherein toapply the at least one policy to the usage of the cryptographic keyword,the first peripheral circuit is further configured to delete thecryptographic keyword in response to a determination that a current timeis equal to the indicated time of day.
 19. The system-on-a-chip of claim15, wherein the electronic message includes a second cryptographickeyword, and wherein to apply the at least one policy to the usage ofthe cryptographic keyword, the first peripheral circuit is furtherconfigured to, based on the policy value, combine the cryptographickeyword with the second cryptographic keyword to generate a thirdcryptographic keyword.
 20. The system-on-a-chip of claim 15, wherein thepolicy value includes an indication of a number of bits in thecryptographic keyword, and wherein to apply the at least one policy tothe usage of the cryptographic keyword, the first peripheral circuit isfurther configured to extract the indicated number of bits from a bitfield in the electronic message that includes the cryptographic keyword.